Collision repairers should beware of unexpected third-party usage of customer, insurer and shop data available through the CIECA Estimate Management Standard, the Society of Collision Repair Specialists warned last week, and both organizations offered tips on how to better safeguard your information.

The Collision Industry Electronic Standards Association has succeeded EMS with the more secure Business Message Specification, but EMS is still widely used by collision repairers on AudaExplore, Mitchell and CCC. Which is a shame, because EMS can leave shops open to a major concern.

CIECA describes EMS as a “flat file” versus a series of specific “messages” under BMS. Under EMS, all data related to an estimate can be exported to a party (such as an estimating service/information provider, car rental company or jobber) who has requested the file from a collision repairer — not just the portion needed to accomplish whatever businesses the auto shop needed to transact with that party.

Think of it like the autocomplete features on Google Chrome or other Web browsers, which store your answers to a various of online forms and fill them in automatically when they encounter a relevant field (“Address” “Name,” etc.) But consider what would happen if a website that merely wanted you to complete “Name” and “Email” received all the answers from the other forms you’d filled out that day.

That’s essentially what happens with EMS if you’re not careful to specify who gets what you’ve prepared in AudaExplore, CCC and Mitchell — and/or have very specific terms of use agreements with all your vendors — regarding the “data pumps” used under the system.

And Iantorno’s example involves a company to which you actually wanted to send data. It’s also possible for someone else to be receiving your data without your knowledge — and then sending it to another party — according to SCRS. Without something in writing, you can’t cry foul — but you could still face complaints from customers and vendors for not safeguarding their data.

“Unfortunately, there are other scenarios where data pumps can be loaded on your computer without your consent or knowledge. They could be potentially installed by outside sales representatives visiting your business, be a part of a software or online program that you use in your business albeit unaware of the data collection properties, or in some cases outside call centers may call in and ask your staff to request remote access to you server to correct a connection issue on a program,” SCRS warned in a news release also published in its July newsletter. “These examples have all happened, and while they may be legitimate in many cases, it is important to know what pumps are on your system, and that the information is only going to the sources you intend it to go to. …

“Because many of these third party applications employ ‘sweepers’ (applications that watch for the EMS file to appear in a directory and then copy it and transfer it to another application) it’s very difficult to identify when a file is being ‘swept’ since it happens in less than a second, in the background operations, and does not leave a trace.”

The security of EMS data was raised this year when a collision repairer faced getting suspended from a direct repair program after a VIN database obtained a customer’s loss information. The VIN service confirmed it didn’t get that information directly from the information provider or the repairer, leaving that shop off the hook “but it further reinforced the need for collision repair business owners to have protocol in place to maintain control of information and data generated by their business,” according to SCRS.

The solution is to configure your software to send only specific EMS information instead of just letting everyone access the same file.

“It’s always more secure when you direct it,” Iantorno said. “… That’s the best and most secure way of implementing it.”

BMS

The alternative is switching to BMS, which is “smart” enough to transmit only the specific fields requested by your vendor — and it even tells you that it was received. That’s invaluable both for efficiency and as a security measure: If an unanticipated “data pump” was running in the background, you’d theoretically know as soon as it sent the first message to the source.

Plus, BMS is just preferable from the point of the view of your IT department, according to Iantorno.

“There isn’t a tech person out there that wants to deal with 1980s and 1990s file structure,” he said.

But BMS interest and adoption has been limited in the collision repair industry, and so AudaExplore, Mitchell and CCC haven’t had the demand to provide it for shops the way they’ve been asked to do by several insurers, rental companies and jobbers, according to Iantorno.